Security hole closes Microsoft Passport

By Duncan Graham-Rowe

Microsoft disabled part of Passport, its virtual wallet, for four days after a software developer alerted them to a security flaw capable of divulging users’ personal details, including credit card numbers.

The security weakness, discovered by Marc Slemko, a software developer in Washington state, made it possible to obtain a user’s password and credit card details from their Microsoft Passport just by sending an email to their Hotmail account.

Slemko held off publishing details of the exploit on his website until he had given Microsoft enough time to fix the holes.

Passport was launched in 1999 as a one-stop shop for online authentication. Besides using it to access web-based email, such as Hotmail, surfers can also use it as an electronic wallet, storing credit card details to speed up online purchases.

“There is no evidence that anyone has taken advantage of this exploit, or that any customer data has been compromised,” a Microsoft spokesman told New Scientist. “This is a sophisticated exploit that would take considerable expertise.”

15-minute window

Slemko explains that at the heart of the exploit is a 15-minute window of opportunity. This is the period for which the cookies stored on a user’s computer after they log on remain valid.

Once the attacker has the cookies, he can use them to pose as the user. But after a quarter of an hour, the user has to log on again and is issued new cookies, meaning the stolen ones no longer work.

Getting the cookies simply requires sending an email, says Slemko. “I can send an email to a Hotmail user that, if they read it within 15 minutes of logging on, will steal all the information from their Passport wallet,” he says. Typical users open any new emails as soon as they log on, he adds.

“The user does not know this has happened, and did nothing other than read an email sent to their Hotmail account,” Slemko says.

The exploit does not compromise the user’s operating system, Slemko told New Scientist, and it does not compromise the server’s security. “It simply tricks the user’s web browser into sending the attacker information that it has legitimate access to.”

Single password

Slemko’s attack tarnishes Microsoft’s plan to use Passport as the centrepiece of its .Net services for e-commerce. It also raises fresh concerns about relying on a single password-based authentication system to gain access to a number of different services.

There are 200 million Passport users, but only two million have so far used the service to create wallets. According to Microsoft, more than 70 sites are currently in the process of deploying Passport’s authentication technology.

Among them is Egg.com, the Prudential’s online banking service, which was quick to reassure customers. Dana Cuffe, of Egg.com, said that Egg is still committed to Microsoft’s .Net strategy and Passport. “But we will not roll out software that will in any way risk the security of Egg customers,” she said.